Lost+Found: Bug reports, eBay, anti-debugging and asterisks
Too short for news, too good to lose; lost+found is a roundup of useful security information. Today: bug reports, eBay, anti-debugging and asterisks.
A strange vulnerability in NetBSD's pam_unix module: a normal user can change the root password if he knows the current root password.
Bruce Schneier has had enough of eBay: two attempts to auction his laptop were scuttled by attempted bidder fraud. He then switched to only accepting offers by email and sold it to someone who reads his blog.
Malware authors can prevent analysis of Windows malware with default-configured debuggers by using 'thread local storage' (TLS) callback functions. Windows executes the TLS callbacks referenced in the PE header before venturing into the actual program, i.e. before a default-configured debugger takes control at the entry point.
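An added example, not from the original article: a static triage check that lists the TLS callback addresses a PE image declares, so an analyst knows that code will run before the entry point and can set breakpoints there. The function names are this example's own, and the image built by `sample_pe()` is constructed purely as test input.

```python
import struct

TLS_DIR = 9  # index of IMAGE_DIRECTORY_ENTRY_TLS in the data directory

def tls_callbacks(pe: bytes) -> list:
    """Return the virtual addresses of the TLS callbacks declared in a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                          # optional header start
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B   # PE32+ magic
    fmt, psize = ("<Q", 8) if pe64 else ("<I", 4)
    base = struct.unpack_from(fmt, pe, opt + (24 if pe64 else 28))[0]
    dirs = opt + (112 if pe64 else 96)                     # data directory array
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= TLS_DIR:
        return []                                          # directory array too short
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * TLS_DIR)[0]
    if tls_rva == 0:
        return []                                          # no TLS directory at all

    def offset(rva: int) -> int:
        """Map an RVA to a file offset through the section table."""
        for i in range(nsec):
            vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")

    # AddressOfCallBacks is the fourth pointer-sized field and holds a VA, not an RVA
    cb_va = struct.unpack_from(fmt, pe, offset(tls_rva) + 3 * psize)[0]
    if cb_va == 0:
        return []
    pos, found = offset(cb_va - base), []
    while (cb := struct.unpack_from(fmt, pe, pos)[0]) != 0:  # null-terminated array
        found.append(cb)
        pos += psize
    return found

def sample_pe() -> bytes:
    """Constructed minimal PE32 image: one section, TLS directory, one callback."""
    base, rva, raw = 0x400000, 0x1000, 0x200
    img = bytearray(0x400); img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40); img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 224)  # i386, 1 section, opt size
    struct.pack_into("<H26xI", img, 0x58, 0x10B, base)     # PE32 magic, ImageBase
    struct.pack_into("<I72xII", img, 0x58 + 92, 16, rva, 24)  # dir count, TLS entry
    struct.pack_into("<8sIIII", img, 0x138, b".rdata", 0x100, rva, 0x200, raw)
    struct.pack_into("<I", img, raw + 12, base + rva + 0x20)  # AddressOfCallBacks
    struct.pack_into("<II", img, raw + 0x20, base + rva + 0x40, 0)  # callback, NULL
    return bytes(img)
```

A non-empty result from `tls_callbacks()` means the loader will run code at those addresses before the entry point, so breakpoints belong there or the debugger should be set to break on process creation rather than at the entry point.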
Opportunities for shoulder-surfing are usually limited, especially on home and even on work computers. Displaying bullets or asterisks instead of plain text when entering passwords is more likely to cause users to enter the wrong password than to aid security.